• Tor hidden services / TLS for binkp

    From Oli@21:1/151 to All on Thu Oct 10 22:03:41 2019
    Is anyone interested in testing binkp connections over Tor (hidden service) and/or direct TLS*?

    My node supports both for incoming and outgoing connections. Are there other nodes in fsxnet that are reachable with a .onion address or offer direct TLS?

    I also would like to standardize Tor and TLS for binkp.

    * as in cleartext considered obsolete**
    ** https://tools.ietf.org/html/rfc8314


    * Origin: 🌈 (21:1/151)
  • From Al@21:3/107.1 to Oli on Thu Oct 10 13:19:12 2019
    Is anyone interested in testing binkp connections over Tor (hidden service) and/or direct TLS*?

    The TLS option is interesting.

    My node supports both for incoming and outgoing connections. Are there other nodes in fsxnet that are reachable with a .onion address or offer direct TLS?

    How do you setup your binkp for TLS?

    Ttyl :-),
    Al

    --- MagickaBBS v0.12alpha (Linux/x86_64)
    * Origin: Equinox BBS - Penticton, BC Canada (21:3/107.1)
  • From Oli@21:1/151 to Al on Thu Oct 10 22:25:00 2019

    How do you setup your binkp for TLS?

    i'm using haproxy for incoming connections, stunnel should also work

    in the binkd nodelist:
    node 5:6/7 -pipe "ncat --ssl-alpn binkp *H *I" example.com:24553


    * Origin: 🌈 (21:1/151)
  • From Alterego@21:2/116 to Oli on Fri Oct 11 12:35:23 2019
    Re: Tor hidden services / TLS for binkp
    By: Oli to All on Thu Oct 10 2019 10:03 pm

    Is anyone interested in testing binkp connections over Tor (hidden
    service) and/or direct TLS*?

    I might have a play with onion - I see opnsense supports it - so that's probably where I'll start.

    Not sure how the BBS will route to it, but I'll figure that bit out. (Know nothing about tor - except how to spell it...)

    ... Among economists, the real world is considered to be a special case.
    --- SBBSecho 3.10-Linux
    * Origin: Alterant | An SBBS in Docker on Pi! (21:2/116)
  • From Oli@21:1/151 to Alterego on Fri Oct 11 21:19:23 2019
    Is anyone interested in testing binkp connections over Tor
    (hidden service) and/or direct TLS*?

    I might have a play with onion - I see opnsense supports it - so
    that's probably where I'll start.

    :)
    I never used opnsense, but it looks like it's easy to configure a hidden service. If you will post the created onion address, I'll try to send you a netmail over Tor.

    Not sure how the BBS will route to it, but I'll figure that bit out.
    (Know nothing about tor - except how to spell it...)

    If this doesn't explain everything, just ask. https://wiki.opnsense.org/manual/how-tos/tor.html#hidden-services

    Good luck!


    * Origin: 🌈 (21:1/151)
  • From Oli@21:1/151 to Oli on Sun Oct 13 12:48:06 2019
    How do you setup your binkp for TLS?

    i'm using haproxy for incoming connections, stunnel should also work

    in the binkd nodelist:
    node 5:6/7 -pipe "ncat --ssl-alpn binkp *H *I" example.com:24553

    My reply could have been a little bit longer, I'm trying again with some more details, even stuff many already know ... :)

    Preface: TLS and SSL are often used synonymously. SSL is the older standard that is deprecated and replaced by TLS. Many applications still use SSL in their name, with command line parameters, configuration options or in the documentation. They always use TLS by default (there might be some rare exceptions). So if you read SSL it means TLS most of the time (the last SSL version 3.0 is from 1996, TLS 1.0 from 1999, 1.2 from 2008, 1.3 from 2018). For some aesthetic or habitual reasons I also like "SSL" better than "TLS".


    There are basically two ways to start a TLS session:

    1) Implicit (or direct) TLS: client and server directly start the TLS session, after the connection has been established.

    2) Opportunistic TLS: client and server start with an unencrypted cleartext connection and after some chit chat, they agree to upgrade the connection to TLS. (For SMTP, IMAP, NNTP, XMPP, IRC and other protocols it is known as STARTTLS).
    https://en.wikipedia.org/wiki/Opportunistic_TLS

    Until recently STARTTLS was the preferred method to enable smooth transitions from unencrypted to TLS encrypted connections without any involvement from the user. Since the Snowden leaks in 2013 a lot has changed and the IETF is pushing towards implicit TLS now ("Cleartext Considered Obsolete": https://tools.ietf.org/html/rfc6409).

    As far as I know (and I might be wrong, please correct me), the only binkp mailer that supports TLS is MysticBBS. It's not documented, but the wiki states that it is "opportunistic SSL (TLS v1.2+) using a proprietary extension of the BINKP protocol". I guess it would not be very hard to reverse engineer the binkp extension, if you capture the data of a binkp session between two MysticBBS instances. Or wait until the author releases a documentation. Then support for the opportunistic TLS extension could be added to other mailers too.

    Honestly, I think we should forget about opportunistic TLS for binkp. Implicit TLS is simpler to implement, does not have the weaknesses of opportunistic encryption and can be added to servers that don't support TLS natively.

    To add TLS support to a binkp server you need a so-called TLS termination proxy for TCP connections. Servers that offer that functionality are stunnel, nginx and haproxy. The proxy server listens on another port (let's say 24555) for incoming TLS connections from the internet and forwards them in cleartext to your local binkp server on port 24554.

    Setting up TLS for the server side is quite straight-forward and should work with any binkp server. I would recommend stunnel, it is easy to configure. The most powerful is haproxy, but it has a million configuration parameters you'll never use and a weird config syntax. Nginx might be interesting, if you're already using it (I haven't tried the tcp proxy in nginx).

    Maybe a step-by-step howto would be useful.

    And then there is the other side: how to make a TLS connection from a binkp client? That is a post for another day ...





    * Origin: 🌈 (21:1/151)
  • From poindexter FORTRAN@21:4/122 to Oli on Sun Oct 13 07:18:44 2019
    Re: Tor hidden services / TLS for binkp
    By: Oli to Oli on Sun Oct 13 2019 12:48 pm

    configure. The most powerful is haproxy, but it has a million configuration parameters you'll never use and a weird config syntax. Nginx might be interesting, if you're already using it (I haven't tried the tcp proxy in nginx).

    Nginx is fast becoming my favorite; I grew up on Apache but just set up a reverse proxy with Nginx - the syntax and the config file layout is nice, and it didn't take very long to set up the reverse proxy.
    --- SBBSecho 3.09-Win32
    * Origin: http://realitycheckbbs.org (21:4/122)
  • From Oli@21:1/151 to poindexter FORTRAN on Sun Oct 13 17:33:03 2019
    Nginx is fast becoming my favorite; I grew up on Apache but just set
    up a reverse proxy with Nginx - the syntax and the config file layout
    is nice, and it didn't take very long to set up the reverse proxy.

    you mean a http reverse proxy? or one for binkp?


    * Origin: 🌈 (21:1/151)
  • From ryan@21:1/168 to poindexter FORTRAN on Sun Oct 13 09:56:41 2019
    Nginx is fast becoming my favorite; I grew up on Apache but just set up a reverse proxy with Nginx - the syntax and the config file layout is nice, and it didn't take very long to set up the reverse proxy.

    IMO, nginx offers performance benefits over apache that make it a no brainer.

    --- Mystic BBS v1.12 A43 2019/03/02 (Linux/64)
    * Origin: monterey bbs (21:1/168)
  • From poindexter FORTRAN@21:4/122 to Oli on Sun Oct 13 12:08:28 2019
    Re: Tor hidden services / TLS for binkp
    By: Oli to poindexter FORTRAN on Sun Oct 13 2019 05:33 pm

    Nginx is fast becoming my favorite; I grew up on Apache but just set
    up a reverse proxy with Nginx - the syntax and the config file layout
    is nice, and it didn't take very long to set up the reverse proxy.

    you mean a http reverse proxy? or one for binkp?

    I'm setting up a reverse proxy for some web apps at work - separate from Binkp.
    My comment was just that Nginx is a nice platform and was easy to config. It opens up lots of possibilities for me; I'm considering a move to Linux.
    --- SBBSecho 3.09-Win32
    * Origin: http://realitycheckbbs.org (21:4/122)
  • From poindexter FORTRAN@21:4/122 to ryan on Sun Oct 13 12:11:48 2019
    Re: Re: Tor hidden services / TLS for binkp
    By: ryan to poindexter FORTRAN on Sun Oct 13 2019 09:56 am

    IMO, nginx offers performance benefits over apache that make it a no brainer.

    Sounds like it. Apache's a sentimental favorite, I suppose.
    --- SBBSecho 3.09-Win32
    * Origin: http://realitycheckbbs.org (21:4/122)
  • From tallship@21:2/104 to poindexter FORTRAN on Tue Oct 15 03:17:35 2019
    On 13 Oct 2019, poindexter FORTRAN said the following...

    Re: Tor hidden services / TLS for binkp
    By: Oli to Oli on Sun Oct 13 2019 12:48 pm

    configure. The most powerful is haproxy, but it has a million configur parameters you'll never use and a weird config syntax. Nginx might be interesting, if you're already using it (I haven't tried the tcp proxy nginx).

    Nginx is fast becoming my favorite; I grew up on Apache but just set up a reverse proxy with Nginx - the syntax and the config file layout is nice, and it didn't take very long to set up the reverse proxy.


    Isn't it though? I've stayed with Apache on Slackware, coz I know it
    backwards and forwards, but I do love Nginx and run it on other Unices.

    Stunnel is really straight-forward too, and perhaps the easiest to implement TLS for things like Gopher over standard ports and other things that don't actually have support for TLS.

    haproxy is the old standby, and arguably the most powerful, but it's a royal biotch to config.

    --- Mystic BBS v1.12 A43 2019/03/02 (Linux/64)
    * Origin: Vger.Cloud - NOMAD Internetwork (21:2/104)
  • From Joacim Melin@21:2/130 to tallship on Tue Oct 15 18:10:10 2019
    On 13 Oct 2019, poindexter FORTRAN said the following...

    Re: Tor hidden services / TLS for binkp
    By: Oli to Oli on Sun Oct 13 2019 12:48 pm

    configure. The most powerful is haproxy, but it has a million configur parameters you'll never use and a weird config syntax. Nginx might be interesting, if you're already using it (I haven't tried the tcp proxy nginx).

    Nginx is fast becoming my favorite; I grew up on Apache but just set up a reverse proxy with Nginx - the syntax and the config file layout is nice, and it didn't take very long to set up the reverse proxy.


    Isn't it though? I've stayed with Apache on Slackware, coz I know it backwards and forwards, but I do love Nginx and run it on other Unices.

    Stunnel is really straight-forward too, and perhaps the easiest to implement TLS for things like Gopher over standard ports and other things that don't actually have support for TLS.

    haproxy is the old standby, and arguably the most powerful, but it's a royal biotch to config.

    Weeeeell. I agree to disagree. There are * a lot * of good howto's and documentation on Haproxy. I've used it myself for years with six Apache web servers as backend except for a few weeks here and there when I tried to use Nginx as a reverse proxy and the same amount of web servers as backend. Nginx is, no doubt, very powerful but there are situations and configurations where it just doesn't work properly (hello Wordpress...) at all times. I always end up going back and maintaining my Haproxy / Apache combo and it's been nothing but rock solid for years. I can't say it's that much slower either to be honest.



    --- NiKom v2.5.0
    * Origin: Delta City (deltacity.se, Vallentuna, Sweden) (21:2/130.0)
  • From Nightfox to tallship on Tue Oct 15 12:50:32 2019
    Re: Re: Tor hidden services / TLS for binkp
    By: tallship to poindexter FORTRAN on Tue Oct 15 2019 03:17 am

    Isn't it though? I've stayed with Apache on Slackware, coz I know it backwards and forwards, but I do love Nginx and run it on other Unices.

    Apache and Slackware, that's probably an iconic combination from the mid 90s. I've heard about those two since I started using the internet in 1995. And I think I had heard about Slackware even earlier, when my dad started messing around with Linux on his PC at home. I imagine Apache and Slackware were (and maybe still are) the backbone of many sites on the internet.

    Nightfox
  • From Zoohouse@21:1/112 to Nightfox on Wed Oct 16 12:37:04 2019
    Nightfox wrote to tallship <=-

    I imagine
    Apache and Slackware were (and maybe still are) the backbone of many
    sites on the internet.

    You are definitely right about Apache being the backbone of the internet.
    Apache is said to run about 46% of all websites online, something like that.

    -Zoo

    ___ MultiMail/Linux v0.49

    --- Mystic BBS/QWK v1.12 A43 2019/03/03 (Windows/32)
    * Origin: Black Flag <ACiD Telnet HQ> blackflagbbs.com (21:1/112)
  • From Nightfox to Zoohouse on Wed Oct 16 11:38:50 2019
    Re: Re: Tor hidden services / TLS for binkp
    By: Zoohouse to Nightfox on Wed Oct 16 2019 12:37 pm

    You are definitely right about Apache being the backbone of the internet. Apache is said to run about 46% of all websites online, something like that.

    I think Apache usage was quite a bit higher at one point. There is other server software that has been released in more recent years that has given Apache some competition.

    Nightfox
  • From Oli@21:1/151 to All on Thu Oct 17 00:41:12 2019
    You are definitely right about Apache being the backbone of the
    internet. Apache is said to run about 46% of all websites online, something like that.

    If you include every single low-traffic website, this number might be more or less accurate. If you count bytes served, you get very different numbers. Apache is not that important anymore and its market share is constantly declining. https://w3techs.com/technologies/comparison/ws-apache,ws-microsoftiis,ws-nginx

    As Apache is not a TCP proxy this is also a bit off-topic, so back to TLS ... ;)
    for testing purposes you can also use ncat to create a proxy.

    invoking binkd in inetd mode:
    ncat -l 24555 -k --ssl --ssl-cert test-cert.pem --ssl-key test-key.pem -c "binkd -i /etc/binkd/binkd.cfg"

    or forwarding incoming connections to any binkp server on port 24554:
    ncat -l 24555 -k --ssl --ssl-cert test-cert.pem --ssl-key test-key.pem -c "ncat localhost 24554"

    this command creates a self-signed certificate and key:
    openssl req -nodes -new -x509 -keyout test-key.pem -out test-cert.pem



    * Origin: 🌈 (21:1/151)
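
Added example (not part of any post in this thread, and not code from binkd, ncat, stunnel or haproxy): a minimal implicit-TLS termination proxy of the kind described in the Oct 13 post and approximated with ncat in the post above, accepting TLS on port 24555 and relaying the decrypted stream to a cleartext binkp server on localhost:24554. Assumptions: the certificate file names are the test files from the post above, the ALPN name "binkp" is taken from the client's --ssl-alpn option earlier in the thread, and the TLS 1.2 minimum is a choice made for this example.

```python
import asyncio
import ssl

LISTEN_PORT = 24555               # TLS port used in the thread
BACKEND = ("127.0.0.1", 24554)    # local cleartext binkp server

def make_tls_context(cert_file, key_file):
    """Server-side context for implicit TLS (handshake starts immediately)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumption: refuse older versions
    ctx.load_cert_chain(cert_file, key_file)
    ctx.set_alpn_protocols(["binkp"])  # matches the client's --ssl-alpn binkp
    return ctx

async def pump(reader, writer):
    """Copy bytes in one direction until EOF or a connection error."""
    try:
        while data := await reader.read(65536):
            writer.write(data)
            await writer.drain()
    except OSError:
        pass

async def handle(client_r, client_w, backend):
    """Relay one decrypted client session to the cleartext backend."""
    try:
        backend_r, backend_w = await asyncio.open_connection(*backend)
    except OSError:
        client_w.close()          # backend down: drop the client
        return
    tasks = [asyncio.ensure_future(pump(client_r, backend_w)),
             asyncio.ensure_future(pump(backend_r, client_w))]
    # asyncio's TLS transport cannot half-close, so end on the first hang-up.
    _, pending = await asyncio.wait(tasks, return_when=asyncio.FIRST_COMPLETED)
    for task in pending:
        task.cancel()
    client_w.close()
    backend_w.close()

async def serve(tls_ctx, host="0.0.0.0", port=LISTEN_PORT, backend=BACKEND):
    """Start the listener; tls_ctx=None gives a plain relay (testing only)."""
    return await asyncio.start_server(
        lambda r, w: handle(r, w, backend), host, port, ssl=tls_ctx)

async def main():
    server = await serve(make_tls_context("test-cert.pem", "test-key.pem"))
    async with server:
        await server.serve_forever()

if __name__ == "__main__":
    asyncio.run(main())
```

With any termination proxy, the binkp server sees every session as coming from 127.0.0.1, so address-based checks in the mailer no longer apply; the cleartext port should be bound to localhost only.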
  • From Alterego@21:2/116 to Zoohouse on Thu Oct 17 10:19:15 2019
    Re: Re: Tor hidden services / TLS for binkp
    By: Zoohouse to Nightfox on Wed Oct 16 2019 12:37 pm

    You are definitely right about Apache being the backbone of the internet. Apache is said to run about 46% of all websites online, something like that.

    I don't know how authoritative this is - but I've referred to it for years:

    https://news.netcraft.com/archives/2019/09/27/september-2019-web-server-survey.html

    ... Send in competition answers with your name, age and how old you are.
    --- SBBSecho 3.10-Linux
    * Origin: Alterant | An SBBS in Docker on Pi! (21:2/116)
  • From Adept@21:2/108 to Oli on Wed Oct 16 23:02:37 2019
    more or less accurate. If you count bytes served, you get very different numbers. Apache is not that important anymore and its market share is

    If you count bytes served, aren't we basically talking about Netflix? Perhaps with a side of Youtube and Amazon prime video?

    --- Mystic BBS v1.12 A43 2019/03/03 (Windows/64)
    * Origin: Storm BBS (21:2/108)
  • From Zoohouse@21:1/112 to Alterego on Thu Oct 17 08:07:05 2019
    https://news.netcraft.com/archives/2019/09/27/september-2019-web-server-su html

    I had not realized how steep the drop off has been since a few years ago. wow.

    -Zoo

    --- Mystic BBS v1.12 A43 2019/03/03 (Windows/32)
    * Origin: Black Flag <ACiD Telnet HQ> blackflagbbs.com (21:1/112)